Post By: Ben Brook, CEO, Transcend
Since GDPR became enforceable in mid-2018, compliance leaders have taken a leading role in managing data privacy compliance for that landmark regulation, as well as for the waves of legislation that followed, including California’s CCPA, Brazil’s LGPD, and in August 2021, China’s PIPL. Compliance leaders knew the value of implementing data privacy best practices, but until recently, corporate leadership assumed that “checking the box” would be good enough. They assumed that going deeper on data privacy would be expensive and risk losing a competitive edge, and so compliance was somewhat marginalized in their efforts to evolve. I believe this is all about to change. 2022 will be the year that the majority of companies finally get serious about data privacy, prompted by real market shifts including increased regulatory, consumer, and business demands.
In this new world, corporate leadership will finally recognize that data privacy isn’t a cost center, but instead offers an opportunity to avoid financial or reputational pain while simultaneously building consumer confidence and affinity. Companies that make a commitment to privacy a visible part of their corporate brand promise will be winning by the end of 2022.
Of course, those best suited to drive this shift are the compliance officers who have the deepest understanding of regulation, along with a healthy respect for where market sentiment is headed.
- Fines have started hitting companies where it hurts – in their pocketbooks and reputations.
At the most basic level, your organization needs to have a healthy understanding of what non-compliance will cost your company. The early days of enforcement were child’s play compared to what is coming in 2022 and beyond. By keenly watching what happens in the courts, most companies will decide that investing more heavily in compliance is money well spent.
Among other consequences, we saw two landmark fines in 2021, the Luxembourg DPA’s fine of Amazon and Ireland’s DPC’s fine of WhatsApp that broke previous GDPR enforcement fines by 15x and 5x respectively. The CCPA is poised to be enforced in the U.S., based on a flurry of recent letters and guidance. And, while Virginia’s and Colorado’s laws won’t be enforced until 2023, there is every reason to assume that these jurisdictions will also take serious enforcement action. China’s future-looking enforcement is a wild card, and one not to be taken lightly.
Sharing potential outcomes and real-world judgements with your executive team will offer additional evidence that the tides are shifting, perhaps providing a helpful forcing function for change.
- Consumer sentiment has changed, likely forever.
Today’s consumers care about their data rights – and they know more about them too. Data privacy and data rights produce near daily headlines. Consumer surveys on the issues almost uniformly point to greater personal know-how and greater dissatisfaction with the status quo. In fact, in a survey my own company conducted, 93% of Americans would switch to a company that prioritizes their data privacy if possible, and Americans are largely frustrated by the fact they don’t have control over their personal data (88%).
From Apple’s landmark decision to ask for explicit permission to track across apps, which empowers consumers, to the public backlash against Facebook, which has been accused of abusing consumer trust, the pressure to address data rights is on.
I believe that because of these very public market shifts, consumers will begin to exercise their data rights at scale. In order to meet that demand, compliance will need to be encoded via technology solutions, versus manual processes that are necessarily inefficient, expensive, and potentially error-prone.
- Compliance teams can’t do it alone.
Your teams are no stranger to carrying the privacy compliance load, and it is time that the executive team, engineering, marketing, product and legal teams join you.
Here’s where your experience and expertise is invaluable, as you’ve been on the front lines of compliance until now. You can offer your leadership team data intelligence they might not have seen coming—sharing insights into consumer sentiment and the potential costs of non-compliance, along with solid predictions on what we collectively can expect to happen next from a regulatory perspective. You can stake out a role as the “go-to” resource on all issues related to data privacy, and you can use this role to educate the teams that need to come up to speed.
Consider hosting cross-functional AMAs that outline what regulations are coming, what potential impacts will be, and what you can do to address these looming milestones. These are opportunities to bring each department up to speed, and give them the opportunity to ask questions about the implications and your recommendations.
Of course coordination across departments can be challenging, but the company-wide benefits will be enormous. By institutionalizing consumer-friendly, privacy-first policies, data privacy will start to shift from a potential challenge to a business advantage. In short, you’re likely to not just change your privacy stance, but build an organization that has privacy respect built in across departments.
Perhaps you take it one step further and eventually work with legal to codify the suggested changes into commitments you can share publicly on your website, or in other materials.
- Automation saves time and money while improving accuracy.
Today, data privacy requests, and the process of collating a user’s data across teams and data systems, are often handled manually, which is remarkably inefficient and time consuming. 2022 will be the year of automation, because the potential workload of multi-regional human-led compliance will become impractical. As mentioned, companies will be rethinking their compliance processes because of increased regulation and judgements, as well as consumer’s swelling interest in exercising their rights.
The only way to keep pace will be to automate these manual processes to take the burden off your engineering, compliance and legal teams. Potential vendors should be able to effectively demonstrate that they have an automated, comprehensive offering that addresses organizational requirements without adding any security risk or requiring development time.
There’s a promising future ahead.
Staking a leadership role for the company starts with your direction on how to transform your privacy program from reactive to proactive, calling attention to the changing landscape I’ve outlined here. It is carried through the organization when leadership understands that the organizational POV must be re-framed into a more consumer-friendly and privacy-first perspective.
As consumers exercise their data rights in record numbers, as enforcement increases, as new regulations both come into force and are signed into law, and as your company realizes the benefits of being privacy-first, you will come to look back at 2022 as a pivotal year in which the decisions you made paid off enormously.
Moreover, as your company introduces new products, services or technologies, you’ll have a clear roadmap on data privacy and data collection. The reputational lift you get from properly protecting consumer data rights will offer the entire organization an important lesson in valuing and respecting your users.
If this feels like a worthy and valuable endeavor, the opportunity to start now is yours.